FireWall-1 FAQ: Routers That Work With SecureClient
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
LinkSys routers can pass SecuRemote connections provided the following is true:
- Firewall should be at version 4.1 SP3 or above.
- Firewall and users are both defined to use IKE (not FWZ) with 3DES encryption and SHA1 authentication (MD5 doesn't work).
- Secure Client is configured to use IKE as it's default encryption scheme. UDP Encapsulation is highly recommended, but not required.
- Linksys router has firmware version 1.39 or above and one of the following enabled (not all options work in all situations): Enable the DMZ feature for the host doing SecuRemote Enable port forwarding for port 500 to the PC doing the VPN Enable port triggering on port 500 (no need to specify which machine) Enable SPI (Stateful Packet Inspection) mode ** Enable IPSec Passthru
See also the FAQ: Secure Client and NAT
To make the NETGEAR FM114P firewall router work with securemote or secureclient you'll have to make to following changes:
First setup your securemote/client to "force UDP encapsulation" (Tools > Advanced IKE settings > check force UDP encapsulation) Don't forget to restart the client!
Next, go to your router web interface, normally http://192.168.0.1 Go to "Services" (left side)
Click on "Add custom services" Name: IPSEC500 Type: UDP Start Port: 500 Finish Port: 500 click apply
Click on "Add custom services" Name: IPSEC2746 Type: UDP Start Port: 2746 Finish Port: 2746 click apply
Goto to "Rules" (left side)
On the "inbound service" section, click ADD Service: IPSEC500(UDP:500) Action: ALLOW always Send to LAN Server: the IP of your computer using the client click apply
On the "inbound service" section, click ADD Service: IPSEC2746(UDP:2746) Action: ALLOW always Send to LAN Server: the IP of your computer using the client click apply
This should do the trick. To make things more secure you could also define the IP range your company uses. (WAN users)
I have personally had no problems with Nexland routers. However, to support two or more clients going to same firewall in NG, you will need to make a change to the firewall configuration.
To change the VPN-1/FireWall-1 NG behavior to that of VPN-1/FireWall-1 4.1, proceed as follows:
On the Management Server
Use the dbedit utility to set the udp_encapsulation_by_qm_id property to false, as shown below (in the following example the VPN-1/FireWall-1 administrator name is "fwadmin"): dbedit> modify properties firewall_properties udp_encapsulation_by_qm_id false dbedit> update properties firewall_properties Open the Policy Editor, click Yes when asked to update your topology data due to inconsistencies. Install the security policy A phoneboy.com reader writes: "The IPSec implementation in the Netgear MR 814 won't work with ecuRemote FP3 (or others, I expect). I got Outlook 2000 to work talking to an Exchange 2000 server, but double-clicking on 'My Computer' to see mapped drives hung the computer indefinitely. Switching back to my trusty Nexland ISB 400 worked just fine. Had the same results on 2 different computers attached to this Netgear. I tried it again to make sure of what I was seeing. With older (bad) versions of SecuRemote (like 4176) I have experienced shared drives working, but Outlook hanging."
D-Link 802.11b/g Routers
DI-614+ - works if you enable IPSEC Passthru and upgrade the firmware
DSL-604+ - works if you enable IPSEC Passthru and upgrade the firmware
DSL-G604T - works if you enable IPSEC Passthru
go to ftp://ftp.dlink.com for the firmware upgrades.
Comment on Netgear Routers
Comment from Daniel Chee: Just wanted to let you know that your site is very helpful in getting my SecureClient? to work. I also wanted to let you know that the Netgear WGR614 v3 that I had did not work with SecureClient?. It is supposed to have IPSec passthru enabled by default and I cannot find any setting in the management console to force it to enable/disable. Port forwarding all the necessary ports and it still wouldn't work right. The client will connect for about 5 minutes and then disconnect immediately. Netgear support was useless, simply telling me to port forward and then never reply to my follow up question.
I replaced the Netgear with a Linksys WRT54G and it has been flawless since.